Splunk custom index not getting incident in xsoar

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Splunk custom index not getting incident in xsoar

L1 Bithead

I am using splunk 60 day free trial non-enterprise edition and created a new custom index in splunk and manually added a sample event csv format file in the new index and all date is 2 days ago sample data

splunk integration with xsoar does not generate any incident, is there a configuration and timestamp problem?



Screen Shot 2022-03-11 at 1.33.40 PM.pngScreen Shot 2022-03-11 at 1.34.28 PM.pngScreen Shot 2022-03-11 at 1.37.39 PM.png

5 REPLIES 5

L3 Networker

Hi @Manikandan_sam , is this the first time you are configuring the XSOAR integration with Splunk? If yes, you may want to change the First fetch timestamp to 2 or 3 days, to capture incidents that were created before. If not, please check if certain incidents were missed while others were created, and open a support case with screenshots and logs.

yes this is my first time integrating splunk
that sample log file is a data day (March 3) for testing so I loaded it into splunk add data and created a custom index

example:

that the log file data is only from March 3rd and how to use timestamp lookup and I already use that custom query in splunk config

when i search xsoar cli !splunk-search query="index=notes" it shows index data and i can also parse the specific url and ip field in the playbook

So is this the proper method to use Splunk custom index to get all the data into xsoar?

L2 Linker

Hello!
1. Please also try encapsulating the index name as per default example when creating new instance. eg.

search `notes` | expandtoken
2. Reset timestamp - unless you know you have new data coming in or within the look back windows (15mins by default)
3. Double check you you have latest content pack installed
4. double check time on your new system (sync with NTP)
5. You can debug a test fetch with: !<instance_name>-fetch debug-mode=true
     reference - xsoar.pan.dev/docs/reference/articles/troubleshooting-guide 
Please let us know how you go!

thank for the replay

  1. I tried this query giving error search `notes` | expandtoken
    if i use this query search index="notes" it works correctly but not show any data
    Screen Shot 2022-03-18 at 8.39.38 PM.png
  2. my custom data is manually created (add data) uploaded csv file
    i also reset the time but i still don't get it
  3. yes content pack installed
  4. yes new system (synchronization with NTP)
    Screen Shot 2022-03-18 at 8.58.14 PM.png
  5. checked debug mode
    Screen Shot 2022-03-18 at 9.00.32 PM.png
  6. my custom data is from 3rd March and time also different but i uploaded it today and 2 days ago my raw file is showing in cli command but when i changed settings again it shows empty index

    how to change my timestamp and get data
    Screen Shot 2022-03-18 at 9.06.56 PM.png

The error indicates permission related to the Index or macro..
I do see you have the 'first fetch' look back to 3 months which should find data otherwise. If this was the first fetch.
I suggest testing the query in Splunk API directly and double check your API permissions. 
https://docs.splunk.com/Documentation/Splunk/8.2.5/RESTTUT/RESTsearches

Do you get same error on your original search query without using expand token?

jgomes_0-1647874915534.png

Perhaps try that again with larger window.. like 1 month+ to cover time the data datetime range

If XSOAR has fetched once already (the radio button for fetch in integration) then it will fetch the look back window once, then every minute (for the last minute) by default. Here you should delete instance and create a new one, so the first fetch goes back one month as configured.  First use test to ensure no permission issues. Hope this helps.

  • 3723 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!